
I am working on a client-server application where the server is a web server which performs client validation based on an SSL certificate. The server trusts a Root CA certificate. The client is a Windows application developed in C++ which has a certificate signed by an intermediate CA, which in turn is signed by the Root CA. I am able to set the client certificate during the HTTPS connection by calling the WinHttpSetOption API with WINHTTP_OPTION_CLIENT_CERT_CONTEXT as the option. However, this sets only the client certificate, not the entire chain. The server does not have the intermediate CA in its store, hence it is not able to authenticate the client.

Is there a way to set the full client certificate chain in WinHttp, provided the full chain is already present in the client's certificate store?

3 Answers

1

The server has to have the CA certificate beforehand; it's not going to trust the root CA the client hands it. (I'm not sure whether it (the server side) would trust an intermediate CA signed by a trusted CA, but my inclination says no.)

Trusting some random CA a client sends would break the entire point of certificate verification; you would have no idea whether the data the client submits is actually meaningful. So add the root and intermediate CA certificates to the server's certificate stores. (If you don't have access to that, you'll have to talk to an admin and have them do it.)

SoronelHaetir
  • Server has a Root CA that it trusts (say 'A'). Client has a certificate (say 'C'). It is derived from cert A (A -> B -> C, where cert B is the intermediate cert which the server does not have). – Vishnu Pedasingu Dec 06 '17 at 01:03
0

I'm not really seeing anything wrong with what you are doing.

You are implementing mTLS. The client side has a private key that it uses to validate itself to the server. Most times the client will generate this private key itself and get it signed via a CSR. In your case you have some CA generate it for you.

mTLS is used in place of some other sort of login a client might do to a server. The client itself doesn't care about the cert chain. The client doesn't need to validate itself. It just sends a token encoded via its private key. The server DOES need the root or intermediate cert in order to validate the key the client has sent. Usually you just install this root into your normal cert store (server side) so the server can validate the client.

-1

The only thing I could find was to add the Sub CA to the system store. During service startup or installation, open the CA certificate store and add the certificate context to it.
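One way to carry out what the first two answers recommend (put the missing intermediate CA into the server's own store) and what the last answer describes (open the CA store and add the certificate to it), as an added example that is not code from the question or any of the answers. It is a PowerShell script for the server side and assumes a Windows server with the PKI module (`Import-Certificate`, Windows Server 2012 / Windows 8 and later); the two file paths are constructed placeholders. It first builds the client's chain against the server's local stores the way Schannel will for client authentication, and only if the sole problem is a missing intermediate (`PartialChain`) does it import that intermediate, into the Intermediate Certification Authorities store rather than Root.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the question or any answer). Run on the Windows server
# that validates client certificates. Both paths are constructed placeholders.
param(
    [string]$ClientLeafPath   = 'C:\certs\client-leaf.cer',      # placeholder, assumed
    [string]$IntermediatePath = 'C:\certs\intermediate-ca.cer'   # placeholder, assumed
)

function Test-ClientChain {
    # Build the chain using the machine's stores, requiring the Client Authentication
    # EKU (1.3.6.1.5.5.7.3.2) as Schannel does. Revocation checking is disabled here
    # so the result isolates the chain-building problem; re-enable it for real checks.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Leaf)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]'1.3.6.1.5.5.7.3.2')
    $valid = $chain.Build($Leaf)

    [pscustomobject]@{
        Valid    = $valid
        Subjects = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        Status   = @($chain.ChainStatus   | ForEach-Object { $_.Status.ToString() })
    }
}

$leaf   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ClientLeafPath
$before = Test-ClientChain -Leaf $leaf
Write-Host ("Chain before: valid={0}; status={1}" -f $before.Valid, ($before.Status -join ','))

if (-not $before.Valid -and $before.Status -contains 'PartialChain') {
    # Sanity check before trusting the file: it must name itself as the leaf's issuer.
    $inter = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $IntermediatePath
    if ($inter.Subject -ne $leaf.Issuer) {
        throw "Intermediate subject '$($inter.Subject)' does not match leaf issuer '$($leaf.Issuer)'"
    }

    # Import into the CA (intermediate) store, never into Root: a certificate placed
    # in Root becomes a trust anchor in its own right, which is not what you want
    # for an intermediate.
    Import-Certificate -FilePath $IntermediatePath -CertStoreLocation 'Cert:\LocalMachine\CA' | Out-Null

    $after = Test-ClientChain -Leaf $leaf
    Write-Host ("Chain after:  valid={0}; path={1}" -f $after.Valid, ($after.Subjects -join ' <- '))
}
```

Run it from an elevated prompt as `.\Check-ClientChain.ps1 -ClientLeafPath <leaf.cer> -IntermediatePath <intermediate.cer>`. If the first status line reports `UntrustedRoot` instead of `PartialChain`, the root itself is absent from the server; the script deliberately does not add anything to `Cert:\LocalMachine\Root`, since installing a trust anchor should be an explicit administrative decision. On older systems without the PKI module, `certutil -addstore CA <intermediate.cer>` places the certificate in the same store.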